November Patch Tuesday 2021 Fixes 55 Flaws
Microsoft Releases November 2021 Patch Tuesday Fixes
There are 6 Critical (double last month's count) and 49 Important fixes in this release. Updates were included for Microsoft Windows and Windows components, 3D Viewer, Azure, Azure RTOS and Sphere, Microsoft Dynamics, Microsoft Office, Visual Studio and Visual Studio Code. Windows 11 also receives its second security patch.
Year 2 Extended Support – Windows 7 and Windows Server 2008 (including R2) have received some updates this month. If you are still using Windows 7 or 2008, the time to review a third and final year of ESU is very close.
- Windows 7 – 1 Critical and 10 Important fixes
- Windows 2008 R2 – 1 Critical and 14 Important fixes
Robert Brown, Head of Customer Success for Syxsense said, “Overall, this year we have seen a massive drop in the number of fixes addressed by the Patch Tuesday security updates. This is most likely down to the extended support of the Windows 10 Feature Updates throughout 2021, however as Microsoft have launched another business operating system that number is likely to rise again.”
Our suggestion would be to choose which operating system (Windows 10 or Windows 11) your business will use for 2022 and stick with it. If your company policy is to stay on Windows 10, we recommend implementing procedures to stop users from accidentally upgrading their devices to Windows 11.
Top November 2021 Patches and Vulnerabilities
Based on the Vendor Severity and CVSS Score, we have made a few recommendations below. As usual, we recommend entering the CVE numbers below into your patch management solution and deploying as soon as possible.
1. CVE-2021-3711: OpenSSL: SM2 Decryption Buffer Overflow
An attacker who is able to present SM2 content for decryption to an application could cause attacker-chosen data to overflow the buffer by up to a maximum of 62 bytes, altering the contents of other data held after the buffer and possibly changing application behavior or causing the application to crash.
This vulnerability was released before November but has been reviewed and rescored by NVD.
Syxscore
- Vendor Severity: Critical
- CVSS: 9.8
- Weaponized: No
- Public Aware: No
- Countermeasure: No
Syxscore Risk
- Attack Vector: Network
- Attack Complexity: Low
- Privileges: None
- User Interaction: None
- Scope (Jump Point): No
2. CVE-2021-26443: Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability
A remote code execution vulnerability exists when a VM guest fails to properly handle communication on a VMBus channel. To exploit the vulnerability, an authenticated attacker could send a specially crafted communication on the VMBus channel from the guest VM to the Host. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Syxscore
- Vendor Severity: Critical
- CVSS: 9.0
- Weaponized: No
- Public Aware: No
- Countermeasure: No
Syxscore Risk
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges: Low
- User Interaction: None
- Scope (Jump Point): Changed
3. CVE-2021-38666: Remote Desktop Client Remote Code Execution Vulnerability
An attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system, and Microsoft has indicated that this vulnerability is “More Likely” to be used in an attack.
Syxscore
- Vendor Severity: Critical
- CVSS: 8.8
- Weaponized: No
- Public Aware: No
- Countermeasure: No
Syxscore Risk
- Attack Vector: Network
- Attack Complexity: Low
- Privileges: None
- User Interaction: Required
- Scope (Jump Point): Unchanged
Syxsense Recommendations
Based on the vendor severity and CVSS score, we have listed below the fixes you should prioritize this month. Please pay close attention to any that are weaponized or flagged as publicly aware.
CVE Reference | Description | Vendor Severity | CVSS Score | Weaponized | Publicly Aware | Countermeasure | Highest Priority |
CVE-2021-42321 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | Yes | No | No | Yes |
CVE-2021-42292 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 7.8 | Yes | No | No | Yes |
CVE-2021-43208 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | No | Yes | No | Yes |
CVE-2021-43209 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | No | Yes | No | Yes |
CVE-2021-38631 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 4.4 | No | Yes | No | Yes |
CVE-2021-41371 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 4.4 | No | Yes | No | Yes |
CVE-2021-3711 | OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow | Critical | 9.8 | No | No | No | Yes |
CVE-2021-26443 | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | Critical | 9 | No | No | No | Yes |
CVE-2021-38666 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | 8.8 | No | No | No | Yes |
CVE-2021-42316 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Critical | 8.7 | No | No | No | Yes |
CVE-2021-42298 | Microsoft Defender Remote Code Execution Vulnerability | Critical | 7.8 | No | No | No | Yes |
CVE-2021-42279 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | 4.2 | No | No | No | Yes |
CVE-2021-42275 | Microsoft COM for Windows Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | Yes |
CVE-2021-42283 | NTFS Elevation of Privilege Vulnerability | Important | 8.8 | No | No | No | Yes |
CVE-2021-41366 | Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
CVE-2021-40442 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
CVE-2021-42276 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
CVE-2021-42296 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
CVE-2021-41367 | NTFS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
CVE-2021-41370 | NTFS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
CVE-2021-42322 | Visual Studio Code Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
CVE-2021-42286 | Windows Core Shell SI Host Extension Framework for Composable Shell Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
CVE-2021-36957 | Windows Desktop Bridge Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
CVE-2021-41377 | Windows Fast FAT File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
CVE-2021-42285 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No | |
CVE-2021-41378 | Windows NTFS Remote Code Execution Vulnerability | Important | 7.8 | No | No | No | |
CVE-2021-41372 | Power BI Report Server Spoofing Vulnerability | Important | 7.6 | No | No | No | |
CVE-2021-42278 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | No | |
CVE-2021-42282 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | No | |
CVE-2021-42287 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | No | |
CVE-2021-42291 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | No | |
CVE-2021-41356 | Windows Denial of Service Vulnerability | Important | 7.5 | No | No | No | |
CVE-2021-38665 | Remote Desktop Protocol Client Information Disclosure Vulnerability | Important | 7.4 | No | No | No | |
CVE-2021-42284 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.8 | No | No | No | |
CVE-2021-42274 | Windows Hyper-V Discrete Device Assignment (DDA) Denial of Service Vulnerability | Important | 6.8 | No | No | No | |
CVE-2021-41374 | Azure Sphere Information Disclosure Vulnerability | Important | 6.7 | No | No | No | |
CVE-2021-42302 | Azure RTOS Elevation of Privilege Vulnerability | Important | 6.6 | No | No | No | |
CVE-2021-42303 | Azure RTOS Elevation of Privilege Vulnerability | Important | 6.6 | No | No | No | |
CVE-2021-42304 | Azure RTOS Elevation of Privilege Vulnerability | Important | 6.6 | No | No | No | |
CVE-2021-41349 | Microsoft Exchange Server Spoofing Vulnerability | Important | 6.5 | No | No | No | |
CVE-2021-42305 | Microsoft Exchange Server Spoofing Vulnerability | Important | 6.5 | No | No | No | |
CVE-2021-41368 | Microsoft Access Remote Code Execution Vulnerability | Important | 6.1 | No | No | No | |
CVE-2021-42300 | Azure Sphere Tampering Vulnerability | Important | 6 | No | No | No | |
CVE-2021-42288 | Windows Hello Security Feature Bypass Vulnerability | Important | 5.7 | No | No | No | |
CVE-2021-42277 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | Important | 5.5 | No | No | No | |
CVE-2021-41373 | FSLogix Information Disclosure Vulnerability | Important | 5.5 | No | No | No | |
CVE-2021-42280 | Windows Feedback Hub Elevation of Privilege Vulnerability | Important | 5.5 | No | No | No | |
CVE-2021-41379 | Windows Installer Elevation of Privilege Vulnerability | Important | 5.5 | No | No | No | |
CVE-2021-42319 | Visual Studio Elevation of Privilege Vulnerability | Important | 4.7 | No | No | No | |
CVE-2021-41375 | Azure Sphere Information Disclosure Vulnerability | Important | 4.4 | No | No | No | |
CVE-2021-41351 | Microsoft Edge (Chrome based) Spoofing on IE Mode | Important | 4.3 | No | No | No | |
CVE-2021-26444 | Azure RTOS Information Disclosure Vulnerability | Important | 3.3 | No | No | No | |
CVE-2021-42301 | Azure RTOS Information Disclosure Vulnerability | Important | 3.3 | No | No | No | |
CVE-2021-42323 | Azure RTOS Information Disclosure Vulnerability | Important | 3.3 | No | No | No | |
CVE-2021-41376 | Azure Sphere Information Disclosure Vulnerability | Important | 2.3 | No | No | No |
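The ordering used in the table above, as an added example that is not Syxsense's own code: it parses rows in the table's pipe-delimited layout and ranks them weaponized first, then publicly aware, then by vendor severity, then by CVSS score. That rule is inferred from the table's row order, and the function and field names are hypothetical.

```python
from typing import NamedTuple

# Six rows copied from the table above, deliberately shuffled.
SAMPLE = """\
CVE-2021-42275 | Microsoft COM for Windows Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | Yes |
CVE-2021-41376 | Azure Sphere Information Disclosure Vulnerability | Important | 2.3 | No | No | No |
CVE-2021-42279 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | 4.2 | No | No | No | Yes |
CVE-2021-38631 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 4.4 | No | Yes | No | Yes |
CVE-2021-42321 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | Yes | No | No | Yes |
CVE-2021-3711 | OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow | Critical | 9.8 | No | No | No | Yes |
"""

class Finding(NamedTuple):
    cve: str
    description: str
    severity: str
    cvss: float
    weaponized: bool
    public: bool
    countermeasure: bool

def parse_rows(text):
    """Parse table rows; the trailing 'Highest Priority' cell may be blank or absent."""
    findings = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 7 or not cells[0].startswith("CVE-"):
            continue  # header, blank or malformed line
        findings.append(Finding(cells[0], cells[1], cells[2], float(cells[3]),
                                cells[4] == "Yes", cells[5] == "Yes", cells[6] == "Yes"))
    return findings

SEVERITY_RANK = {"Critical": 0, "Important": 1}  # any other rating sorts last

def triage_key(f):
    # False sorts before True, so negate the flags that should float to the top.
    # The final CVE-id tie-break is an assumption added for a stable order.
    return (not f.weaponized, not f.public,
            SEVERITY_RANK.get(f.severity, 2), -f.cvss, f.cve)

def deployment_order(text):
    return [f.cve for f in sorted(parse_rows(text), key=triage_key)]

if __name__ == "__main__":
    for cve in deployment_order(SAMPLE):
        print(cve)
```

Under this rule a Critical fix with a low CVSS score (CVE-2021-42279 at 4.2) still ranks above an Important fix scored 8.8, which matches the row order in the table.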